
[P1363:] NTRUEncrypt in IEEE P1363: effects of NTRUSign attack



Hi List,

On the call last month we discussed whether the recent
attacks on NTRUSign affect the standardization of NTRUEncrypt
in IEEE P1363.1. We decided that I should contact Phong
Nguyen, author of the paper, and ask his opinion.

I asked:

> We've just had an IEEE P1363 teleconference where we
> discussed how to take account of your NTRUSign transcript
> attack. A question that came up was whether or not your
> attacks affect NTRUEncrypt, and the group asked me to get
> your opinion on this. My understanding is that the attacks
> don't affect NTRUEncrypt; is this your understanding too?

Phong responded:

> Actually, I think the attacks may have an impact on decryption
> failure attacks.
> I ran a few experiments a while ago,
> but did not have the time to finish them.
> I hope to come back to it soon.
>
> So I think it is very important that all parameters completely
> prevent decryption failures, and not just heuristically.

This is consistent with the discussion we had on the call,
where we said that in the absence of decryption failures there
was no analogy to this attack. I think it further emphasises
the point Dan Brown was making that the 1363.1 security considerations
and parameter sets should explicitly only allow parameter sets with
no probability of decryption failures.

Phong also gave the following input re NTRUSign, which I think
is useful for the group to know:

> Regarding NTRUSign, I would really not recommend
> using the non-perturbated variant.
> The fact that the experiments succeeded with 90,000 signatures
> does not imply that fewer signatures (possibly 10,000)
> would be secure: we did not try to optimize the attack,
> neither in theory, nor in the experiments.

We'll revisit NTRUSign later in the year, but this backs up
Dan Brown's other point that in some senses 90,000 is quite
close to 10,000 and a successful attack based on 90,000
signatures doesn't give him confidence in the 10,000 bound.

I've cc'ed Phong on this mail in case he wants to follow up
on any of these points.

Cheers,

William
